Patent Issued for Privacy management systems and methods (USPTO 11551174): OneTrust LLC

2023 JAN 27 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- A patent by the inventors Brannon, Jonathan Blake (Smyrna, GA, US), Chennur, Rajanandini (Atlanta, GA, US), Clearwater, Andrew (Brunswick, ME, US), Hecht, Trey (Atlanta, GA, US), Johnson, Wesley (Atlanta, GA, US), Pavlichek, Nicholas Ian (Atlanta, GA, US), Philbrook, Brian (Atlanta, GA, US), filed on February 24, 2022, was published online on January 10, 2023, according to news reporting originating from Alexandria, Virginia, by NewsRx correspondents.

Patent number 11551174 is assigned to OneTrust LLC (Atlanta, Georgia, United States).

The following quote was obtained by the news editors from the background information supplied by the inventors: “Over the past years, privacy and security policies, and related operations have become increasingly important. Breaches in security, leading to the unauthorized access of personal data (which may include sensitive personal data) have become more frequent among companies and other organizations of all sizes. Such personal data may include, but is not limited to, personally identifiable information (PII), which may be information that directly (or indirectly) identifies an individual or entity. Examples of PII include names, addresses, dates of birth, social security numbers, and biometric identifiers such as a person’s fingerprints or picture. Other personal data may include, for example, customers’ Internet browsing habits, purchase history, or even their preferences (e.g., likes and dislikes, as provided or obtained through social media).

“Many organizations that obtain, use, and transfer personal data, including sensitive personal data, have begun to address these privacy and security issues. To manage personal data, many companies have attempted to implement operational policies and processes that comply with legal requirements, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S.’s Health Insurance Portability and Accountability Act (HIPPA) protecting a patient’s medical information. Many regulators recommend conducting privacy impact assessments, or data protection risk assessments along with data inventory mapping. For example, the GDPR requires data protection impact assessments. Additionally, the United Kingdom ICO’s office provides guidance around privacy impact assessments. The OPC in Canada recommends certain personal information inventory practices, and the Singapore PDPA specifically mentions personal data inventory mapping.

“In implementing these privacy impact assessments, an individual may provide incomplete or incorrect information regarding personal data to be collected, for example, by new software, a new device, or a new business effort, for example, to avoid being prevented from collecting that personal data, or to avoid being subject to more frequent or more detailed privacy audits. In light of the above, there is currently a need for improved systems and methods for monitoring compliance with corporate privacy policies and applicable privacy laws in order to reduce a likelihood that an individual will successfully “game the system” by providing incomplete or incorrect information regarding current or future uses of personal data.

“Organizations that obtain, use, and transfer personal data often work with other organizations (“vendors”) that provide services and/or products to the organizations. Organizations working with vendors may be responsible for ensuring that any personal data to which their vendors may have access is handled properly. However, organizations may have limited control over vendors and limited insight into their internal policies and procedures. Therefore, there is currently a need for improved systems and methods that help organizations ensure that their vendors handle personal data properly.”

In addition to the background information obtained for this patent, NewsRx journalists also obtained the inventors’ summary information for this patent: “A method, according to various aspects, comprises: (1) generating, by computing hardware, an incident information interface soliciting a first affected jurisdiction, a second affected jurisdiction, and incident information for an incident; (2) receiving, by the computing hardware via the incident information interface, an indication of the first affected jurisdiction, an indication of the second affected jurisdiction, and the incident information; (3) determining, by the computing hardware based on the first affected jurisdiction and the incident information, first incident response requirements for the first affected jurisdiction; (4) determining, by the computing hardware based on the second affected jurisdiction and the incident information, second incident response requirements for the second affected jurisdiction; (5) generating, by the computing hardware, an incident response interface including checklist items, wherein each checklist item of the checklist items corresponds to a corresponding requirement from the first incident response requirements for the first affected jurisdiction and a corresponding requirement from the second incident response requirements for the second affected jurisdiction; (6) providing, by the computing hardware, the incident response interface for display on a computing device; (7) detecting, by the computing hardware, an activation of a first checklist item of the checklist items on the incident response interface; (8) determining, by the computing hardware, a first incident response requirement from the first incident response requirements for the first affected jurisdiction corresponding to the first checklist item and a second incident response requirement from the second incident response requirements for the second affected jurisdiction corresponding to the first checklist item; (9) receiving, by the computing hardware, an indication of completion of the first incident response requirement and the second incident response requirement; (10) generating, by the computing hardware, a first incident disclosure report for the first jurisdiction, the first incident disclosure report including the indication of completion of the first incident response requirement; and (11) generating a second incident disclosure report for the second jurisdiction, the second incident disclosure report including the indication of completion of the second incident response requirement.

“In some aspects, the incident information comprises incident timing comprising at least one of an incident occurrence date, an incident occurrence time, an incident discovery date, or an incident discovery time. In other aspects, the first incident response requirement comprises a requirement to report the incident within a particular time based on the incident timing. In particular aspects, the first incident response requirements comprise generating a notification to an individual affected by the incident. In various aspects, generating the incident response interface comprises configuring the checklist items such that each checklist item is positioned on the incident response interface according to a respective priority determined based on the incident information. In particular aspects, the first incident disclosure report comprises at least one of a notification to a regulatory agency associated with the first jurisdiction or a notification to an internal organization. In some aspects, the method further comprises transmitting, by the computing hardware, the first incident disclosure report to a computing system associated with a regulatory agency associated with the first jurisdiction.

“A method, according to some aspects, comprises: (1) providing, by computing hardware, an incident information interface soliciting incident information for an incident and one or more affected sectors; (2) receiving, by the computing hardware via the incident information interface, the incident information and an indication of the one or more affected sectors; (3) accessing, by the computing hardware based on the incident information and the indication of the one or more affected sectors, an ontology mapping a plurality of incident response requirements to respective questions in a master questionnaire; (4) determining, by the computing hardware, data responsive to the questions in the master questionnaire based on the incident information; (5) determining, by the computing hardware and based on the ontology and the data responsive to the questions in the master questionnaire, an incident response requirement set for the one or more affected sectors; (6) providing, by the computing hardware, an incident response interface comprising a checklist, wherein a checklist item from the checklist corresponds to one or more requirements from the incident response requirement set; (7) detecting, by the computing hardware, an activation of the checklist item indicating a completion of the one or more requirements; (8) generating, by the computing hardware, an incident disclosure report for the one or more affected sectors, the incident disclosure report comprising an indication of the completion of the one or more requirements; and (9) providing, by the computing hardware, an interface for accessing the incident disclosure report.

“In some aspects, the method further comprises generating, by the computing hardware, the incident response interface by: (1) configuring a first selectable object corresponding to a first incident response requirement from the incident response requirement set; (1) configuring the checklist as a first checklist to include a first checklist item corresponding to a first subtask of the first incident response requirement a second checklist item adjacent the first checklist item and corresponding to a second subtask of the first incident response requirement; and (3) configuring a second selectable object adjacent the first selectable object and corresponding to a second incident response requirement from the incident response requirement set, the second selectable object being configured to access a second checklist corresponding a set of subtasks for the second incident response requirement.

“In a particular aspect, the method further comprises: (1) receiving, by the computing hardware via the incident response interface, selection of the second selectable object; and (2) in response to receiving the selection of the second selectable object, modifying, by the computing hardware, the incident response interface such that the second checklist obscures the first checklist. In other aspects, the method further comprises customizing, by the computing hardware, the incident response interface based on the data responsive to the questions in the master questionnaire by modifying an order of each checklist item in the checklist. In various aspects, the incident information comprises incident timing comprising at least one of an occurrence date of the incident, an occurrence time of the incident, a discovery date of the incident, or a discovery time of the incident. In some aspects, the one or more requirements comprise a requirement to report the incident within a particular time based on the incident timing. In other aspects, the one or more affected sectors comprises a health-related sector, and the incident comprises a health-related incident.”

The claims supplied by the inventors are:

“1. A method comprising: generating, by computing hardware, an incident information interface soliciting a first affected jurisdiction, a second affected jurisdiction, and incident information for an incident; receiving, by the computing hardware via the incident information interface, an indication of the first affected jurisdiction, an indication of the second affected jurisdiction, and the incident information; determining, by the computing hardware based on the first affected jurisdiction and the incident information, first incident response requirements for the first affected jurisdiction; determining, by the computing hardware based on the second affected jurisdiction and the incident information, second incident response requirements for the second affected jurisdiction; generating, by the computing hardware, an incident response interface including checklist items, wherein each checklist item of the checklist items corresponds to a corresponding requirement from the first incident response requirements for the first affected jurisdiction and a corresponding requirement from the second incident response requirements for the second affected jurisdiction; providing, by the computing hardware, the incident response interface for display on a computing device; detecting, by the computing hardware, an activation of a first checklist item of the checklist items on the incident response interface; determining, by the computing hardware, a first incident response requirement from the first incident response requirements for the first affected jurisdiction corresponding to the first checklist item and a second incident response requirement from the second incident response requirements for the second affected jurisdiction corresponding to the first checklist item; receiving, by the computing hardware, an indication of completion of the first incident response requirement and the second incident response requirement; generating, by the computing hardware, a first incident disclosure report for the first jurisdiction, the first incident disclosure report including the indication of completion of the first incident response requirement; and generating a second incident disclosure report for the second jurisdiction, the second incident disclosure report including the indication of completion of the second incident response requirement.

“2. The method of claim 1, wherein the incident information comprises incident timing comprising at least one of an incident occurrence date, an incident occurrence time, an incident discovery date, or an incident discovery time.

“3. The method of claim 2, wherein the first incident response requirement comprises a requirement to report the incident within a particular time based on the incident timing.

“4. The method of claim 1, wherein the first incident response requirements comprise generating a notification to an individual affected by the incident.

“5. The method of claim 1, wherein generating the incident response interface comprises configuring the checklist items such that each checklist item is positioned on the incident response interface according to a respective priority determined based on the incident information.

“6. The method of claim 1, wherein the first incident disclosure report comprises at least one of a notification to a regulatory agency associated with the first jurisdiction or a notification to an internal organization.

“7. The method of claim 1, further comprising transmitting, by the computing hardware, the first incident disclosure report to a computing system associated with a regulatory agency associated with the first jurisdiction.

“8. A method comprising: providing, by computing hardware, an incident information interface soliciting incident information for an incident and one or more affected sectors; receiving, by the computing hardware via the incident information interface, the incident information and an indication of the one or more affected sectors; accessing, by the computing hardware based on the incident information and the indication of the one or more affected sectors, an ontology mapping a plurality of incident response requirements to respective questions in a master questionnaire; determining, by the computing hardware, data responsive to the questions in the master questionnaire based on the incident information; determining, by the computing hardware and based on the ontology and the data responsive to the questions in the master questionnaire, an incident response requirement set for the one or more affected sectors; providing, by the computing hardware, an incident response interface comprising a checklist, wherein a checklist item from the checklist corresponds to one or more requirements from the incident response requirement set; detecting, by the computing hardware, an activation of the checklist item indicating a completion of the one or more requirements; generating, by the computing hardware, an incident disclosure report for the one or more affected sectors, the incident disclosure report comprising an indication of the completion of the one or more requirements; and providing, by the computing hardware, an interface for accessing the incident disclosure report.

“9. The method of claim 8 further comprising generating, by the computing hardware, the incident response interface by: configuring a first selectable object corresponding to a first incident response requirement from the incident response requirement set; configuring the checklist as a first checklist to include: a first checklist item corresponding to a first subtask of the first incident response requirement; and a second checklist item adjacent the first checklist item and corresponding to a second subtask of the first incident response requirement; and configuring a second selectable object adjacent the first selectable object and corresponding to a second incident response requirement from the incident response requirement set, the second selectable object being configured to access a second checklist corresponding to a set of subtasks for the second incident response requirement.

“10. The method of claim 9, further comprising: receiving, by the computing hardware via the incident response interface, selection of the second selectable object; and in response to receiving the selection of the second selectable object, modifying, by the computing hardware, the incident response interface such that the second checklist obscures the first checklist.

“11. The method of claim 8 further comprising customizing, by the computing hardware, the incident response interface based on the data responsive to the questions in the master questionnaire by modifying an order of each checklist item in the checklist.

“12. The method of claim 8, wherein the incident information comprises incident timing comprising at least one of an occurrence date of the incident, an occurrence time of the incident, a discovery date of the incident, or a discovery time of the incident.

“13. The method of claim 12, wherein the one or more requirements comprise a requirement to report the incident within a particular time based on the incident timing.

“14. The method of claim 8, wherein: the one or more affected sectors comprises a health-related sector; and the incident comprises a health-related incident.

“15. A system comprising: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein the processing device is configured to execute the instructions and thereby perform operations comprising: providing an incident information interface soliciting incident information for an incident; receiving, via the incident information interface, the incident information; accessing, based on the incident information, an ontology mapping a plurality of incident response requirements to respective questions in a master questionnaire; determining data responsive to the questions in the master questionnaire based at least in part on the incident information; determining, based on the ontology and the data responsive to the questions in the master questionnaire, an incident response requirement set for the incident; generating an incident response interface comprising a set of interactive elements, wherein each interactive element from the set of interactive elements corresponds to a respective requirement from the incident response requirement set; providing the incident response interface for display on a user device; detecting an interaction with a first interactive element of the set of interactive elements indicating a completion of the respective requirement; generating an incident disclosure report for the incident, the incident disclosure report comprising an indication of the completion of the respective requirement; and providing an interface for accessing the incident disclosure report.

“16. The system of claim 15, wherein: the set of interactive elements comprises: the first interactive element corresponding to a first incident response requirement from the incident response requirement set; and a second interactive element corresponding to a second incident response requirement from the incident response requirement set; and generating the incident response interface comprises positioning the first interactive element adjacent the second interactive in an order based on the data responsive to the questions in the master questionnaire.

“17. The system of claim 16, wherein generating the incident response interface comprises configuring the set of interactive elements such that each interactive element from the set of interactive elements is included in the set of interactive elements according to a respective priority determined based on the data responsive to the questions in the master questionnaire.”

There are additional claims. Please visit full patent to read further.

URL and more information on this patent, see: Brannon, Jonathan Blake. Privacy management systems and methods. U.S. Patent Number 11551174, filed February 24, 2022, and published online on January 10, 2023. Patent URL (for desktop use only): https://ppubs.uspto.gov/pubwebapp/external.html?q=(11551174)&db=USPAT&type=ids

(Our reports deliver fact-based news of research and discoveries from around the world.)